CESA-2008-007 - rev 1

[See all my vulnerabilities at http://scary.beasts.org/security]

[Blog if you want to subscribe to new findings is at http://scarybeastsecurity.blogspot.com/]

Browser SVG / canvas design error

There exists a combination of modern browser features which is difficult to implement securely; or more accurately, easy to implement without fully appreciating the security concerns:

• SVG support
• Support for the <image> SVG element (as one example)
• Support for an SVG target in the <img> tag
• <canvas> support
• Support for getImageData or toDataUrl on the canvas object

• Create an SVG image that loads a different-domain image as part of it
• Load this SVG image into a Javascript object
• Render this image object onto a canvas
• Steal the different-domain image via e.g. getImageData

The different browsers stack up like this:

• Opera 9.52: implements everything and impressively seems to get the security check right
• Firefox 3.0.1: does not support inline SVG images yet
• IE7: does not support hardly anything
• Safari 3.1: does not support getImageData and similar APIs
• Webkit nightly: vulnerable

More worrying possibilities exist, although I wasn't able to get them to work with brief experimentation. One possibility is to use <html:iframe> to completely break the same origin policy. It's not clear whether Webkit nightly was saved by design, chance or my failure to win a race condition in SVG rendering.

CESA-2008-007 - rev 1
Chris Evans
scarybeasts@gmail.com